Trust & security
We photograph youth events at scale. We built for that.
Most software adds security as a checklist. SansPost was designed for youth-sports photography from day one, so protection of athletes, families, and each studio's business isn't a feature tier — it's the architecture. This page explains what we do, in plain language.
Every studio is fully separated
Each photography business on SansPost operates in its own isolated space. Photos, galleries, customer records, and payments from one studio are never visible to another — the separation is enforced in the platform's structure, not by policy or good intentions. An automated isolation test suite runs against every change we ship, verifying that no studio can reach another's data.
Encrypted at rest, event by event
Photos and event data are encrypted at rest with AES-256. Every event gets its own encryption key, and those keys are isolated per studio. That granularity matters for deletion: when an event's key is destroyed, its data becomes permanently unreadable — deletion is enforced by cryptography, not by a "deleted" flag that hopes nobody looks.
Built for minors, not retrofitted
- Private by default. Galleries for events involving minors are not publicly listable. Access works through expiring, signed links — there is no way to browse or enumerate them.
- Parents can act directly. Every gallery includes a "remove a child's photos" request. A parent selects the specific photos, the studio reviews the request with those photos pre-selected, and fulfillment deletes them from the platform.
- Face grouping is a controlled feature, off unless enabled. Grouping photos by athlete is configurable per studio and per event, can be required off by a league, and face data is never shared or matched across studios. All face-related data is encrypted at rest like everything else.
- Consent and retention are first-class. Studios track consent per event, and per-event retention limits automatically purge photos and face data on schedule instead of keeping them forever.
- Only selected frames ever upload. The photographer chooses what leaves the camera. The full card is never bulk-uploaded to the internet.
Payments never touch our servers
All payment processing runs on Stripe, including the automatic revenue splits between studios and their photographers. Card numbers go directly from the buyer to Stripe — SansPost never stores, sees, or transmits them.
Accounts and operations
Studio and photographer portal accounts support two-factor authentication, and sign-in attempts are rate-limited. Our own operator console sits behind an additional zero-trust access layer — platform administration is never exposed as a plain login page on the internet.
Who we build on
We deliberately keep the list of companies that touch your data short. SansPost runs on Cloudflare (hosting, storage, and network), uses Stripe for payments, and Resend for transactional email. Each maintains its own independently audited security and compliance programs, which the platform inherits at the infrastructure layer.
Questions, reviews, and requests
Running a legal, IT, or league review? We're glad to walk through any of the above in as much depth as you need. Data questions and deletion requests: privacy@sanspost.com. Everything else: hello@sanspost.com. See also our Privacy Policy.